encryption.CheckAuthorization not working for multi-arch images #69
Comments
Do you have examples of command lines that you used and ran into this issue?
Result: The without_key container runs without providing the private key.
And you are trying this on something other than amd64?
Yes, on raspberry (armv6l). This issue is rarely reproducible on an amd64 machine as usually, this is the first manifest in the index descriptor. In the case of docker.io/library/bash:latest the first manifest is indeed the amd64 one, so you won't be able to reproduce it on amd64 machine.
I am running this now on a ppc64 machine. There's a test case in imgcrypt/script/tests/test_encryption.sh Lines 345 to 359 in 727850f
Unfortunately it's passing as expected, meaning it refuses to run the encrypted container image without key and runs it when the key is provided.
So the problem with the test case is that for this image imgcrypt/script/tests/test_encryption.sh Line 166 in 727850f
If one doesn't pull
Create a reproducing test case for issue #69 by adding a test case with a bash image that is only pulled for the local platform, so without --all-platforms. The test case will likely work on amd64 but does fail locally on a ppc64 host. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to properly perform an authorization check on an image we need to know the platform to perform check when in cryptManifestList(). Extend the logic for cryptoOp == cryptoOpUnwrapOnly to skip over manifests that do not correspond to the local platform and return an error if no manifest was found that matches the local platform. Resolves: containerd#69 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
I now have a pending PR. @dimitar-dimitrow, maybe you can give it a try.
To be able to properly perform an authorization check on an image we need to know the platform to perform check when in cryptManifestList(). Extend the logic for cryptoOp == cryptoOpUnwrapOnly to skip over manifests that do not correspond to the local platform and return an error if no manifest was found that matches the local platform. The following projects seem NOT to be affected due to the change in the code path of CheckAuthorization() since they are not using it:
- cri-o
- nerdctl
- skopeo
- buildah
The impact on imgcrypt via ctr-enc is not so clear either since CheckAuthorization() is not called on the server side but by the ctr-enc client, thus can be modified easily. Resolves: containerd#69 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to properly perform an authorization check on an image we need to know the platform to perform check when in cryptManifestList(). Extend the logic for cryptoOp == cryptoOpUnwrapOnly to skip over manifests that do not correspond to the local platform and return an error if no manifest was found that matches the local platform. The following projects seem NOT to be affected due to the change in the code path of CheckAuthorization() since they are not using it:
- cri-o
- nerdctl
- skopeo
- buildah
- podman
The impact on imgcrypt via ctr-enc is not so clear either since CheckAuthorization() is not called on the server side but by the ctr-enc client, thus can be modified easily. Resolves: containerd#69 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
@dimitar-dimitrow Even though the code has been merged already, can you give it a try?
@stefanberger Sorry for the late response, the fix works as expected. Thanks!
@dimitar-dimitrow I am going to create v1.1.4 once a few more things are merged. I will create a CVE referencing your report. Thanks.
When a multi-arch index descriptor is provided to the imgcrypt's CheckAuthorization func (e.g. via image.Target()), the library iterates over the manifests it refers to with the cryptoOpUnwrapOnly option set to true to perform a check only. That causes the cycle to stop on the first manifest in the collection as the condition here will always be evaluated to true error-regardless. Additionally, if reading any of the referred manifest's children returns an errdefs.IsNotFound(err), the cycle will exit with a nil error, thus, the authorization check passes incorrectly.
Let's take for example the case where the cycle checks the first manifest in the collection (e.g. for amd64) on an arm/arm64 machine, the children of this manifest are not found since this is not the target platform and they are not pulled -> the authorization check passes incorrectly. This issue is rarely reproducible on an amd64 machine as usually, this is the first manifest in the index descriptor.
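The fail-open behaviour described in this report, next to the platform-aware check the fix commit describes, as an added Go example that is not imgcrypt's code. The types, function names, error values and the sample index are a hypothetical simplified model constructed for illustration, and treating missing children of the local-platform manifest as an error is an assumption.

```go
package main

import "errors"
import "fmt"

// Hypothetical, simplified model of the check; none of these names are imgcrypt's.
var errNotFound = errors.New("content not found")
var errNoKey = errors.New("no key for encrypted layers")
var errNoPlatform = errors.New("no manifest for local platform")

// pulled: the manifest's children exist in the local content store.
type manifest struct{ platform string; pulled, encrypted bool }

func unwrapCheck(m manifest, haveKey bool) error {
	if !m.pulled {
		return errNotFound
	}
	if m.encrypted && !haveKey {
		return errNoKey
	}
	return nil
}

// checkBefore models the reported behaviour: first manifest only, NotFound passes.
func checkBefore(index []manifest, haveKey bool) error {
	for _, m := range index {
		err := unwrapCheck(m, haveKey)
		if errors.Is(err, errNotFound) {
			return nil // children of a foreign-platform manifest are absent: check passes
		}
		return err // check-only mode never reaches the second manifest
	}
	return nil
}

// checkAfter models the fix: skip foreign platforms, fail closed if none matches.
func checkAfter(index []manifest, local string, haveKey bool) error {
	for _, m := range index {
		if m.platform == local {
			return unwrapCheck(m, haveKey)
		}
	}
	return errNoPlatform
}

func main() {
	idx := []manifest{{"linux/amd64", false, true}, {"linux/arm/v6", true, true}} // constructed
	fmt.Println("before:", checkBefore(idx, false), "| after:", checkAfter(idx, "linux/arm/v6", false))
}
```

With the amd64 manifest pulled and listed first, `checkBefore` returns the missing-key error, which matches the report's note that the issue rarely shows up on amd64 hosts.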